Geek Answers Handbook

Security Token Length

I use security tokens to create invalid URLs (16 bytes, hexadecimal)

http://example.com/something/private/b5f8c21a628e12b39786fb8ef9561d31

A token is a bit of a common password: who knows that the URL has access to the resource.

How many bytes should a safe random value have for safe URLs?

+7
source share
4 answers

I ended up with a 64 bit random value which is encoded as safe for Base Base. The ability to guess the correct token is 1 / 2^64 , which is equal to 1 / 18446744073709551616 . This is a pretty impressive number, and it would be almost impossible for an attacker to find the correct token with HTTP requests.

The urls now look like this: http://example.com/private/1oWYPiqO81k/

+2
source

You should not hide your URLs as a security method (this is an example of security through obscurity ). You must use the authorization mechanism for secure pages, such as user login with page permissions.

It looks like you are using base-16 encoding (0-9a-f), so until you scan your URL, the probability of guessing the URL is 1/(16^length)

+2
source

It’s good that all applications at some point depend on cryptographic nonce . After all, this is the session identifier or csrf token value. The importance here is that it does not matter how much time it costs if the attacker has 100 years to break it. Now 100 years is a long time, but you should strive to ensure that your projects last so long.

The main security difference between a cookie and your value is that the cookie expires and changes for each use. But in all reality, this value should be avoided at all costs. If this is used for authentication, then rely on the session identifier, so it is there. Do not minimize your session.

+1
source

10 Unicode character URLs, for example, cannot be determined in advance because the tokens are 160 bits long and therefore there are 2 ^ 160 different possible URLs. However, you should not rely on something like that for security, but on a classic login and auth

0
source

More articles:


All Articles